Brocked200

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 3.0.13 **Description** BigBlueButton, an open-source virtual classroom, has a Stored Cross-Site Scripting (XSS) issue in the "Shared Notes" feature. The input location for this issue is the `Username` field, and the output is displayed on the "Shared Notes" page when a user with a malicious username edits content. This allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users, such as Admins, who open the "Shared Notes" page. **Recommendations** Update to BigBlueButton version 3.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 3.0.13 **Description** BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) issue exists that allows any authenticated user to freeze or crash the server by abusing the polling feature's `Choices` response type. An attacker can submit a malicious payload with a massive array in the `answerIds` field, causing the current meeting – and potentially all meetings on the server – to become unresponsive. The attack leverages the `answerIds` field to overwhelm the server's processing capabilities. **Recommendations** Update to version 3.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 3.0.13 **Description** BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) condition exists in versions prior to 3.0.13. An authenticated user can disrupt chat functionality for all meeting participants by sending a malformed `reactionEmojiId` within the `chatSendMessageReaction` GraphQL mutation. The vulnerability resides in the handling of the `reactionEmojiId` parameter. **Recommendations** Update to version 3.0.13 or later.